.bazelrc: recommend --lockfile_mode=error (#162)

* .bazelrc: recommend --lockfile_mode=error

This should improve security posture for new rules and hopefully sets
a good example for new Bazel projects in general.

This flag is for regular builds, not when updating dependencies.
It can't be used across Bazel versions either unfortunately.

Signed-off-by: Jay Conrod <[email protected]>

* make module extension reproducible and os- and arch-independent

* upgrade gazelle to get reproducible go_deps, go_sdk

---------

Signed-off-by: Jay Conrod <[email protected]>

Author: jayconrod

.bazelrc

@@ -10,6 +10,21 @@ common --enable_bzlmod
 # https://bazelbuild.slack.com/archives/C014RARENH0/p1691158021917459?thread_ts=1691156601.420349&cid=C014RARENH0
 common --check_direct_dependencies=off
 
+# Ensure that the MODULE.bazel.lock file is complete and committed.
+# This is an important security measure: it ensures that developers on the
+# same rule set download dependencies at the same versions with the same bits.
+# This setting does not affect modules that depend on this module.
+#
+# When updating dependencies, use --lockfile_mode=refresh, for example:
+#     bazel mod tidy --lockfile_mode=refresh
+#
+# When testing different versions of Bazel, use --lockfile_mode=update or
+# --lockfile_mode=off. The lock file format changes over time, and different
+# versions of Bazel may expect different syntax. Bazel also implicitly requires
+# some modules, and different versions have different dependencies, which
+# also affects the contents of the lock file.
+common --lockfile_mode=error
+
 # Load any settings specific to the current user.
 # .bazelrc.user should appear in .gitignore so that settings are not shared with team members
 # This needs to be last statement in this

MODULE.bazel

@@ -34,7 +34,7 @@ bazel_dep(name = "bazel_skylib", version = "1.4.1")
 bazel_dep(name = "package_metadata", version = "0.0.5")
 bazel_dep(name = "platforms", version = "0.0.5")
 
-bazel_dep(name = "gazelle", version = "0.35.0", dev_dependency = True, repo_name = "bazel_gazelle")
+bazel_dep(name = "gazelle", version = "0.45.0", dev_dependency = True, repo_name = "bazel_gazelle")
 bazel_dep(name = "bazel_skylib_gazelle_plugin", version = "1.4.1", dev_dependency = True)
 bazel_dep(name = "bazel_lib", version = "3.0.0", dev_dependency = True)
 bazel_dep(name = "buildifier_prebuilt", version = "6.1.2", dev_dependency = True)